I needed to have user-only rw permissions on the config file. This fixed it:
chmod 600 ~/.ssh/config
As others have noted below, it could also be the file owner (upvote them!):
chown $USER ~/.ssh/config
If your whole folder has invalid permissions, here's a table of the expected permissions:

Path | Permission
--- | ---
.ssh directory | 0700 (drwx------)
private keys (ex: id_rsa) | 0600 (-rw-------)
config | 0600 (-rw-------)
public keys (*.pub, ex: id_rsa.pub) | 0644 (-rw-r--r--)
authorized_keys | 0644 (-rw-r--r--)
known_hosts | 0644 (-rw-r--r--)
Sources:
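To check a .ssh directory against that table (mode and owner of every entry), here is an added example script that is not part of the original answer; it assumes GNU coreutils `stat` (Linux) and the file-name conventions from the table.

```shell
#!/bin/sh
# Added example, not from the original answer: audit a .ssh directory against
# the permission table above. Assumes GNU coreutils stat (Linux).
# Usage: audit_ssh_dir ~/.ssh   -> exits 0 when everything is in order.

# Most permissive mode allowed for each kind of entry; extra bits get flagged.
max_mode_for() {
    case "$1" in
        *.pub|authorized_keys|known_hosts) echo 644 ;;   # world-readable is fine
        config|id_*)                       echo 600 ;;   # config and private keys
        *)                                 echo 600 ;;   # unknown file: treat as secret
    esac
}

# True when octal mode $1 has any permission bit that octal max $2 does not.
too_permissive() {
    have=$(printf '%d' "0$1"); max=$(printf '%d' "0$2")
    [ $(( have & ~max )) -ne 0 ]
}

# Check one path for mode and ownership; print the fix, return 1 on a finding.
check_entry() {
    path=$1; max=$2; rc=0
    mode=$(stat -c '%a' "$path"); owner=$(stat -c '%U' "$path")
    if too_permissive "$mode" "$max"; then
        echo "BAD  $path mode $mode (max $max): chmod $max '$path'"; rc=1
    fi
    if [ "$owner" != "$(id -un)" ]; then
        echo "BAD  $path owned by $owner: chown $(id -un) '$path'"; rc=1
    fi
    return $rc
}

# Audit the directory itself (0700) and every regular file inside it.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}; status=0
    check_entry "$dir" 700 || status=1
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_entry "$f" "$(max_mode_for "$(basename "$f")")" || status=1
    done
    [ $status -eq 0 ] && echo "OK   $dir"
    return $status
}
```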
I've recently hit a similar issue, albeit a slightly different one. I wanted to route only TCP port 25 (SMTP) over an OpenVPN tap0 interface, while routing all other traffic (even for the same host) over the default interface.
To do so, I had to mark packets and set up rules for handling them. First, add a rule that makes the kernel route packets marked with 2 through table 3 (explained later):
ip rule add fwmark 2 table 3
You could have added a symbolic name to /etc/iproute2/rt_tables, but I did not bother to do so. The numbers 2 and 3 are randomly chosen. In fact, these can be the same, but for clarity I did not do it in this example (although I do it in my own setup).
Add a route for redirecting traffic over a different interface, assuming the gateway is 10.0.0.1:
ip route add default via 10.0.0.1 table 3
Very important! Flush your routing cache, otherwise you will not get a response back and sit with your hands in your hair for some hours:
ip route flush cache
Now, set a firewall rule for marking designated packets:
iptables -t mangle -A OUTPUT -p tcp --dport 465 -j MARK --set-mark 2
The above rule applies only if the packets come from the local machine. See http://inai.de/images/nf-packet-flow.png. Adjust it to your requirements. For instance, if you only want to route outgoing HTTP traffic over the tap0 interface, change 465 to 80.
To prevent the packets sent over tap0 from getting your LAN address as source IP, use the following rule to change it to your interface address (assuming 10.0.0.2 as the IP address of interface tap0):
iptables -t nat -A POSTROUTING -o tap0 -j SNAT --to-source 10.0.0.2
Finally, relax the reverse path source validation. Some suggest setting it to 0, but 2 seems a better choice according to https://www.kernel.org/doc/Documentation/networking/ip-sysctl.txt. If you skip this, you will receive packets (this can be confirmed using tcpdump -i tap0 -n), but the packets do not get accepted. The command to change the setting so packets get accepted:
sysctl -w net.ipv4.conf.tap0.rp_filter=2
Best Answer
mangle's PREROUTING is for altering incoming packets before routing, and OUTPUT is for altering locally-generated packets before routing. Hence PREROUTING is needless (for local connections). But OUTPUT should have worked, though. You usually don't need to specify a source address in firewall rules, since they would be "locally-generated packets" anyway. Another thing to remember is that no one is going to change the source IP just because you've marked the packet and it gets routed with another route table — you'd need to use NAT explicitly for that. In terms of Linux iptables it has to be SNAT. And "This target is only valid in the nat table, in the POSTROUTING chain", as the man page says. Although I personally prefer its subspecies MASQUERADE, which is handier for that, because you don't have to bother with hard-coding IP addresses.